 nostr:nprofile1qythwumn8ghj7un9d3shjtnwdaehgu3wvfskuep0qy88wumn8ghj7mn0wvhxcmmv9uq32amnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcpr3mhxue69uhksmmyd33x7epwvdhhyctrd3jjuar0dak8xtcqyz8vs6kfuyyhnxvx2grgae4sqg3m3cext24m8l3gld4nkm3fftwfv4933km  nostr:nprofile1qy88wumn8ghj7mn0wvhxcmmv9uq32amnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcprfmhxue69uhhyetvv9ujuumgd96xvmmjvdjjummwv5hsz8nhwden5te0dehhxarj94c82c3wwajkcmr0wfjx2u3wdejhgtcpr4mhxue69uhkummnw3ezumt4w35ku7thv9kxcet59e3k7mf0qyv8wumn8ghj7un9d3shjtnrw4e8yetwwshxv7tf9uqzqv6kmesm89j8jvww3vs5pv46hqm7pqgvpm63twlf9hszfqzqhz7ajxvgda  Check out https://github.com/coracle-social/coracle/pull/409

I'm writing this note from my laptop's Chrome with a fork of #Coracle that communicates with an https://nsec.app bunker on my phone, and all the communication between my laptop and my phone is signed and encrypted using #nos2x (instead of a random keypair).

This allows me to logout from #Coracle and login again, without having to re-approve the permissions on nsec.app.

I think it will be even more useful with lockable extensions like nostr:nprofile1qyfhwumn8ghj7ur4wfcxcetsv9njuetn9uq32amnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcppemhxue69uhkummn9ekx7mp0qythwumn8ghj7un9d3shjtnwdaehgu3wvfskuep0qythwumn8ghj7un9d3shjtnswf5k6ctv9ehx2ap0qyw8wumn8ghj7mn0wd68ytf39ehxymewv9hxwctwdyhxxme0qywhwumn8ghj7mn0wd68ytnzd96xxmmfdejhytnnda3kjctv9uq3gamnwvaz7tmjv4kxz7tpvfkx2tn0wfnj7qg6waehxw309ahx7um5wgh8qmr9vf3ksctfdchx7un89uqjsamnwvaz7tm2damxjctv94n82cmgwd5kztt9w458jcn0d4sjuumrv9exzc3wd9kj7qpqgetal6ykt05fsz5nqu4uld09nfj3y3qxmv8crys4aeut53unfvlq2tufkf  , so you could logout from Coracle, lock the extension, and when you want to post something unlock the extension (with a password) and login to Coracle again - without having to re-approve anything in the bunker. 
 So is this the way to get safe shared access to keys?! I have not thought it through or tried myself yet but looks super promising!

nostr:nevent1qqsx95hu5y6awpx4zyjfzfmqr4nd64r743klata9lm93jx047z7vk3gpz4mhxue69uhkummnw3ezummcw3ezuer9wchsygpnzm3d3rlercggn36lamwd3w4zyk9523268v2k4ash6lk8ndzlu5psgqqqqqqs9z3c9d 
 Amazing! How does login flow look? Is there a special UI for this? 
 When you login with user/bunker-url, it checks if window.nostr is defined and tries to call window.nostr.getPublicKey(). Otherwise it generates a temporary key like in the old behavior. I didn’t test what happens if the extension does not give permission for getPublicKey(), but if it returns undefined then the old behavior should run.

Thanks for the zap 🙏 
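
The fallback described in the reply above, as an added example (not code from the Coracle pull request or from anyone in this thread). It also covers the untested cases the reply mentions: a denied, missing, malformed, or never-answered `getPublicKey()`. `pickClientKey`, `withTimeout`, `makeTempKey`, the result shape and the 5-second timeout are hypothetical; only `window.nostr.getPublicKey()` comes from the thread.

```javascript
// Added illustration; pickClientKey, withTimeout and makeTempKey are hypothetical names.
// NIP-01 public keys are 32 bytes, lowercase hex.
const HEX_PUBKEY = /^[0-9a-f]{64}$/;

// Reject after `ms` so an ignored extension prompt cannot hang the login.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("extension timed out")), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// nostr: the NIP-07 object (window.nostr in a browser), possibly undefined.
// makeTempKey: caller-supplied function returning { pubkey, secretKey }.
async function pickClientKey(nostr, makeTempKey, timeoutMs = 5000) {
  // Record why the stable key was not used, so the UI can tell the user
  // that the bunker will ask for approval of a new key.
  const fallback = (reason) => ({ source: "temporary", reason, ...makeTempKey() });

  if (!nostr || typeof nostr.getPublicKey !== "function") {
    return fallback("no NIP-07 extension found");
  }
  let pubkey;
  try {
    // A synchronous throw, a rejection (permission denied) and a timeout
    // all land in the same catch.
    pubkey = await withTimeout(Promise.resolve(nostr.getPublicKey()), timeoutMs);
  } catch (err) {
    return fallback(`getPublicKey() failed: ${err?.message ?? err}`);
  }
  if (typeof pubkey !== "string" || !HEX_PUBKEY.test(pubkey)) {
    return fallback("getPublicKey() returned no usable key");
  }
  // The extension keeps the secret key; the client signs and encrypts through it.
  return { source: "extension", pubkey, signer: nostr };
}
```
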
 I see, this makes sense as a prototype but I think it deserves a separate ui - temp keys could be "connect with temporary key" and new flow as "connect with extension" or something like that.  
 I find temporary keys more confusing. I think in case the extension couldn’t be found (or getPublicKey() fails), it should tell the user: “Please approve the encryption key on your bunker app: npub1…”.

Also, unrelated, it would be nice if nsec.app could temporarily pause permissions to an app without deleting it completely, and if the oauth-like popup specified in bold text: “Please enter the passphrase only if you trust this device to keep a copy of your main key!”. 
 Yes it's all very confusing, we already have a dozen ways to login on nostr and no good terminology or conventions. Instead of temp keys we could say "Connect" and "Connect as username-from-extension" if it's present. 
 Another option is to implement the bunker connection in the extension. The website will simply use the NIP07 api (simple “login with extension”) - and the extension will convert the operations to requests to the bunker!
When nsec.app extension? 
 That could work too but nsec.app was specifically created to have a pure web based solution without an extension, so we don't have that on the roadmap atm 
 They will work together. You have nsec.app on your phone and an extension on your laptop’s browser. The extension generates a key for the communication with the bunker, and you approve it once on your phone.

The websites that you browse don’t need to even know that you are using a bunker. They will simply use NIP07. 
 I understand, but our primary use case for nsec.app is to onboard people on the web (on nostr sites) into a web-based key storage, without asking for extension install, so we're focusing on that part. If someone adds nip46 to extension I'm totally fine with that, it's just not our focus. 
 Could you please elaborate on your second point. You can already delete app perms without deleting the app connections to trigger the popup on any further action. And maybe you are right, we should inform the user that if they login to nsec.app on some device then their main key will be downloaded and stored here. We could also include an option to auto-logout (delete key from device) after a while.